Standard contractual clause on data protection 
on DG BUDG models 


Special conditions: 


I.9.1 Processing of personal data by the contracting authority


For the purpose of Article II.9.1,


(a) the data controller is [insert position of the data controller and name of the
organisational entity];
(b) the data protection notice is available at https://ec.europa.eu/info/data-protection-public-procurement-procedures_en.


I.9.2 Processing of personal data by the contractor


[This clause is not applicable to this FWC.]¹


[For the purpose of Article II.9.2,


(a) the subject matter and purpose of the processing of personal data by the contractor are 
[provide a short and concise description of the subject matter and purpose]; 


(b) the localisation of and access to the personal data processed by the contractor shall
comply with the following²:

i. the personal data shall only be processed within the territory of [the European
Union and the European Economic Area][...] and will not leave that territory;

ii. the data shall only be held in data centres located within the territory of [the
European Union and the European Economic Area][...];

iii. [no access shall be given to such data outside of [the European Union and the
European Economic Area][...]] [access to data may be given on a need to
know basis only to authorised persons established in a country which has been
recognised by the European Commission as providing adequate protection to
personal data];

iv. the contractor may not change the location of data processing without the prior
written authorisation of the contracting authority;

v. any transfer of personal data under the FWC to third countries or international
organisations shall fully comply with the requirements laid down in Chapter V
of Regulation (EU) 2018/1725³.]


¹ This clause must only be deleted for contracts where personal data is not intended to be
processed by the contractor, e.g.: logistics, most evaluation services, studies and translation
services.

² This clause must be adapted with care on the basis of a risk assessment related to the processing
of personal data for the relevant contract.


General Conditions 
II.9.1 Processing of personal data by the contracting authority 


Any personal data included in or relating to the FWC, including its implementation, shall be 
processed in accordance with Regulation (EU) No 2018/1725. Such data shall be processed 
solely for the purposes of the implementation, management and monitoring of the FWC by 
the data controller. 


The contractor or any other person whose personal data is processed by the data controller in 
relation to this FWC has specific rights as a data subject under Chapter III (Articles 14-25) of 
Regulation (EU) No 2018/1725, in particular the right to access, rectify or erase their personal 
data and the right to restrict or, where applicable, the right to object to processing or the right 
to data portability. 


Should the contractor or any other person whose personal data is processed in relation to this 
FWC have any queries concerning the processing of its personal data, it shall address itself to 
the data controller. They may also address themselves to the Data Protection Officer of the 
data controller. They have the right to lodge a complaint at any time to the European Data 
Protection Supervisor. 


Details concerning the processing of personal data are available in the data protection notice 
referred to in Article I.9.


II.9.2 Processing of personal data by the contractor 


The processing of personal data by the contractor shall meet the requirements of Regulation 
(EU) No 2018/1725 and be processed solely for the purposes set out by the controller. 


The contractor shall assist the controller for the fulfilment of the controller’s obligation to 
respond to requests for exercising rights of persons whose personal data is processed in
relation to this FWC as laid down in Chapter III (Articles 14-25) of Regulation (EU) No 
2018/1725. The contractor shall inform without delay the controller about such requests. 


The contractor may act only on documented written instructions and under the supervision of 
the controller, in particular with regard to the purposes of the processing, the categories of 
data that may be processed, the recipients of the data and the means by which the data subject 
may exercise its rights. 


³ Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to
the processing of personal data by the Union institutions, bodies, offices and agencies and on the
free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No
1247/2002/EC, OJ L 295/39, 21.11.2018, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=EN


The contractor shall grant personnel access to the data to the extent strictly necessary for the 
implementation, management and monitoring of the FWC. The contractor must ensure that 
personnel authorised to process personal data has committed itself to confidentiality or is 
under appropriate statutory obligation of confidentiality in accordance with the provisions of 
Article II.8. 


The contractor shall adopt appropriate technical and organisational security measures, giving 
due regard to the risks inherent in the processing and to the nature, scope, context and 
purposes of processing, in order to ensure, in particular, as appropriate: 


(a) the pseudonymisation and encryption of personal data; 

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of 
processing systems and services; 

(c) the ability to restore the availability and access to personal data in a timely manner in 
the event of a physical or technical incident; 

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical 
and organisational measures for ensuring the security of the processing; 

(e) measures to protect personal data from accidental or unlawful destruction, loss, 
alteration, unauthorised disclosure of or access to personal data transmitted, stored or 
otherwise processed. 


The contractor shall notify relevant personal data breaches to the controller without undue 
delay and at the latest within 48 hours after the contractor becomes aware of the breach. In 
such cases, the contractor shall provide the controller with at least the following information: 


(a) nature of the personal data breach including where possible, the categories and 
approximate number of data subjects concerned and the categories and approximate 
number of personal data records concerned; 

(b) likely consequences of the breach; 

(c) measures taken or proposed to be taken to address the breach, including, where 
appropriate, measures to mitigate its possible adverse effects. 


The contractor shall immediately inform the data controller if, in its opinion, an instruction 
infringes Regulation (EU) 2018/1725, Regulation (EU) 2016/679, or other Union or Member 
State data protection provisions as referred to in the tender specifications. 


The contractor shall assist the controller for the fulfilment of its obligations pursuant to 
Articles 33 to 41 under Regulation (EU) 2018/1725 to:


(a) ensure compliance with its data protection obligations regarding the security of the 
processing, and the confidentiality of electronic communications and directories of 
users; 

(b) notify a personal data breach to the European Data Protection Supervisor; 

(c) communicate a personal data breach without undue delay to the data subject, where 
applicable; 

(d) carry out data protection impact assessments and prior consultations as necessary. 


The contractor shall maintain a record of all data processing operations carried out on behalf of
the controller, transfers of personal data, security breaches, responses to requests for 
exercising rights of people whose personal data is processed and requests for access to 
personal data by third parties. 


The contracting authority is subject to Protocol 7 of the Treaty on the Functioning of the 
European Union on the privileges and immunities of the European Union, particularly as 
regards the inviolability of archives (including the physical location of data and services as set 
out in Article I.9.2) and data security, which includes personal data held on behalf of the
contracting authority in the premises of the contractor or subcontractor. 


The contractor shall notify the contracting authority without delay of any legally binding 
request for disclosure of the personal data processed on behalf of the contracting authority 
made by any national public authority, including an authority from a third country. The 
contractor may not give such access without the prior written authorisation of the contracting 
authority. 


The duration of processing of personal data by the contractor will not exceed the period 
referred to in Article II.24.2. Upon expiry of this period, the contractor shall, at the choice of 
the controller, return, without any undue delay in a commonly agreed format, all personal data 
processed on behalf of the controller and the copies thereof or shall effectively delete all 
personal data unless Union or national law requires a longer storage of personal data. 


For the purpose of Article II.10, if part or all of the processing of personal data is
subcontracted to a third party, the contractor shall pass on the obligations referred to in
Articles I.9.2 and II.9.2 in writing to those parties, including subcontractors. At the request of
the contracting authority, the contractor shall provide a document providing evidence of this 
commitment. 


